WordPress has gained tremendous popularity over the past 5-6 years since WordPress 3.0 introduced custom post types and the ability to easily add new consistent data structures for your application. Some site builders using other CMS or frameworks back then gave it a try, and some of them joined the large community of people offering web solutions online.
The other alternatives had various quirks and limitations and it was close to impossible to provide a complete web solution without skills. Joomla was the most mature option with the lowest learning curve, but it lacked certain features and had some cumbersome options that required various customizations even for fairly straight-forward solutions. Since that hasn’t changed too much lately, they own less than 3% of the web market while WordPress is close to 25% of the same market.
How well do you know the internals of WordPress and the themes and plugins that you use? @no_fear_inc
And as WordPress emerged as a blogging platform, at first many saw it to be the “blogging platform on steroids” that now allows you to build actual websites. Alongside the number of free or low-cost plugins available, the fact that there were thousands of amusing themes and that bloggers were already acquainted with it, WordPress suddenly became the “go to” solution for marketers, bloggers, non-technical startup owners and others without any technical education. There are now tens of thousands of agencies and hundreds of thousands of freelancers and consultants offering WordPress websites without any technical skills.
And it is okay - to some extent, but it also brings the unpleasant feeling of deception or a shocking surprise once a website is being hacked, runs way too slowly, or receives various reports for broken features, notices on the screen, extensive CPU usage and more.
Building Solutions Prior to WordPress
Web developers back in the day had a different process for building web solutions. One was required to build the look and feel of an application, which usually required a designer capable of crafting a somewhat decent design. Then, a front-end developer turned that design into a template - dealing with all of the complexities of browser compatibility (some still remember Internet Explorer 6) and even mobile websites before Responsive was cool.
Backend developers got their hands dirty by building the infrastructure - a custom database for everything needed for a website, a users/roles model for different capabilities, an administrative panel for controlling the dynamic aspects of the website, routers, and other areas for data management and access control. Together with a frontend guy they worked closely to integrate the backend with the frontend, which often resulted in refactoring and rebuilding certain components in a way that fitted the proposed design.
More complex infrastructures required other skills from system analysts, network engineers and server administrators who were responsible for the servers layer, deploying an application and dealing with the continuous upgrades, file and media management, and more.
In other words, sites took much longer to be developed and required a diverse set of skills from different people, each one specializing in a given specialty, essential to the web development process.
Fast-forward to late 2015 and that process is still being used in major companies and organizations, as well as web studios building Java, ASP.NET MVC, Ruby on Rails applications. Due to the social aspect of the web game, developers are now responsible for building APIs, integrating various payment gateways, implementing analytics and prediction APIs, dealing with machine learning and context-specific data provisioning. Some of the common elements being used over and over again are now available in frameworks or provided as extensive libraries in order to cut the development time and leave some buffer for the new technical challenges that are still being tackled actively.
And in the WordPress space, the development can take minutes to hours until a complete website can be deployed on a server, with everything needed as per the client’s requests.
The Disconnect With WordPress
While it’s perfectly okay to build a solution on top of WordPress without any development skills, being unable to assess the infrastructure and the gotchas behind the curtains makes it risky for one to provide web applications.
Successful marketers and site builders who started providing WordPress-driven solutions focused on one thing: customer goals. Because, after all, the most important thing for a web application is to solve problems and generate revenue for the business - either directly or through another model building audience, reselling services or strengthening the brand name.
And speaking of goals, let’s list some of the common ones for many business owners:
1) Growing the traffic of a website for branding/advertising purposes
2) Growing the customer base in order to provide specific features for registered users
3) Building an eCommerce solution for selling physical or digital goods
Those can be accomplished in different contexts - from simple blogs or media outlets, through to various eCommerce solutions, membership sites, forums, social directories, groupon-alike solutions, crowdfunding campaigns, stock photo galleries and more. Each of the solutions could serve as a marketing channel, a direct revenue stream or a complimentary product to another solution ran by a customer.
What Can Go Wrong?
While there are different possible answers to this questions, here’s a counter-question for you:
How well do you know the internals of WordPress and the themes and plugins that you use?
Probably the WordPress Core is the most actively maintained project in your stack. But WordPress is a generic CMS meant to serve generic needs to a broad audience. Therefore, the platform has been designed in a way that solve as many problems as possible, regardless of the fact that you may only utilize 20% or 30% of it.
WordPress plays the generalization game: the core solution is meant to serve the needs of many audiences, different groups of clients and different types of projects. There is no easy way to disable a specific feature - say, if you don’t need comments, they will still exist in your project. As a project grows, this may have an impact on the website’s speed or cause security issues.
But hey, I know that the WP team are a bunch of cool guys who take a great care of me! I also use Akismet, which comes preinstalled with WordPress, so I’m totally good to go!
As a true myth buster, I’ll point you to a security report by Sucuri from early October that proves that WordPress poses a massive WordPress vulnerability with Akismet activated which could lead to an attacker gaining full access to your website. If you are not a technical expert, the gist of it is that a malicious commenter could inject a script in a comment, and once you hover on it in your admin dashboard, it could execute different activities on behalf of your administrative profile. With the coming WP-API this would be enough for attackers to delete your posts, fetch some of your users (stealing personal data) or play other games with your website while taking over it.
Fortunately, this is not that common and always keeping your core and plugins up to date helps prevent an attack. The risk is present though, and you could be a victim of a massive distributed attack just as the one that infected hundreds of thousands of websites running Gravity Forms several months ago.
Problems Happening to WordPress Users
WordPress, being the most popular and widely used web platform worldwide, has one main drawback: hackers love it. With probably over a hundred million websites out there, it is the perfect target for attackers, as they can fire the shotgun and aim for a large number of websites that could be prone to a number of vulnerabilities.
Some come from Core (rarely, usually if it’s not updated), others aim at plugins and themes, or target your shared hosting - or a number of APIs that you may use such as social media integration scripts, analytics, and advertising platforms. The more feature-rich your platform is, the more possible attack vectors exist.
There are various situations when your server goes down due to traffic flood or a poorly configured firewall. Additionally, issues in the networking layer - both from a hardware, and software standpoint - can lead to DDoS attacks, slow request parsing, limited pools of workers processing single requests and more.
Dealing with different network protocols could be handy for optimization, as well as implementing additional caching layers that serve cached data only for HTTP requests or redirect traffic for secure connections within the internal network. Being unable to identify similar problems would likely result in a poorly configured network that affects your infrastructure immensely.
Web Server Problems
Your web server is responsible for processing incoming requests and serving data - usually some media or HTML to be rendered by your browser. However, information could be parsed in different ways, cached on the server or in your network.
Occasionally there are adjustments that could be made to your server for security and performance improvements - reducing the hardware resources and taking advantage of context-specific situations that could help you to serve content in a better manner.
Modern web servers such as nginx could be leveraged for caching or used as reverse proxies, interconnected with other servers and configured in a way that pulls data without triggering PHP requests, redirecting connections internally, setting additional headers, processing cookies, making decisions based on the internal requests. A default server stack usually serves the general public, but doesn’t provide unique benefits for your install, and often causes slower load times that reflect in your Google SERP ranking.
The WordPress database schema is fairly generic, which makes it suitable for all sorts of applications. However, searching or filtering based on custom fields with serialized data is a challenging task, and some data is simply meant to live in separate tables - as seen in popular premium plugins dealing with eCommerce, multilingual content, logging data or performing analytics calculations.
While most plugins tend to solve problems most of the time, you need additional know-how for optimizing those for better performance, storing data through prepared statements for security and decoupling large volumes of data in a way that makes it possible to handle the higher load without buying expensive servers.
WordPress is also a generic platform used by bloggers, eCommerce stores, multisites, large media outlets, social networks and even SaaS software. However, the larger a project grows, the more a standard approach doesn’t seem to be the best fit for customers.
Some plugins load generic information for admin views - such as the dashboard, or the Add Post screen - and cause a page to load for 5, 10, 20 seconds or even more. One of my Core contributions was a patch that fixed hierarchical posts in the admin view that used to take 15 minutes (yes, minutes!) for a clients’ site that was quickly reduced to seconds after the patch was applied.
The frontend is often clumsy, scripts are being loaded everywhere (just in case, regardless of whether you use them or not), and widget data management is not always optimized.
Being aware of how WordPress processes requests, what is being triggered and what could be improved for a specific site would reduce your regressions and incompatibility issues, speed up a site and strengthen the security of the platform with its flexible capabilities.
Premium themes are often bloated with tons of scripts, a multitude of sliders and galleries, and often numerous custom post types, taxonomies and other data-related logic that is meant to live in a plugin.
We have been involved with dozens of slow and broken projects where a theme is poorly coded and lacks basic stability countermeasures. One of them triggered over 200 database requests on a single page load of the landing page, while those could have been reduced to 40 or so. This is more than 5 times more internal data processing that affects the CPU usage, the RAM memory, requires a significant time to load and delays other requests since PHP and MySQL are busy processing the same information over and over again. Loading megabytes of styles or scripts for each request is often not necessarily and can be avoided in different ways.
Plugins have similar characteristics, especially if you use a small fraction of what a plugin offers. Since the WordPress.org repository doesn’t validate the plugin logic extensively - it runs basic checks on the initial commit for security issues or copyright infringement - people can submit whatever they want.
Most of those plugins work fine for tiny sites in an isolated environment, but once you start building more complicated solutions with a lot of data using a number of random plugins, you can face plenty of mixed requests, malformed global variables, significant database loads, incompatibility or errors in many page requests and so forth. Being unable to identify the algorithm behind a plugin would prevent you from taking a concise decision and may lead to security breaches, lost data, polluted error logs and lack of backwards compatibility when updating WordPress or the plugins (sometimes that ends up with a fatal error that could be fixed only with file access through ssh or SFTP).
And this is barely scratching the surface. There are various issues related to your server stack (including the I/O operations to your hard drive), process management from your OS, communication with other devices, integration between different platforms, servers and services and more that require sophisticated know-how of the underlying layers.
Software engineers - people who live and breathe the craft of building different applications, come with different mindset and background which helps them to produce high-quality products.
Software and Web Engineers
When I talk about software engineers, I don’t refer to people with a Computer Science degree from an elite university. A university often lacks a modern program that focuses on business needs and is occasionally too theoretical and slightly dated. However, universities cover some basic ground and provide the logical thinking required for building desktop or web applications.
Moreover, there are plenty of free video courses and dozens of incredible books that will help you with that. In our training courses, we provide a curriculum for about six months covering most of the important concepts that a web developer needs without having to spend four years in an elite university.
And here are some of the main things that we use on a daily basis - a skill set that we apply while building applications, that helps us to pick the right solution, analyze an existing library or build something custom tailored to the customer needs and growth plan in the long run.
Understanding the hardware and networking layer behind your application is important. A WordPress website is built on top of an operating system (often Linux), stores data in MySQL, uses the PHP programming language and runs on a web server such as Apache or nginx. All of the above require disk space and server resources such as CPU and RAM.
Different hardware configurations cater for different needs. Knowing what is stored where and how it impacts a server would help you to pick the right stack, plan for the long run and anticipate potential issues that may arise. Understanding the limitations of a shared hosting is important for the results delivered to your clients, and picking the right VPS or cloud infrastructure is easier when you know what your platform needs the most.
Operating systems interact with the hardware by providing the kernel, a set of drivers for different devices, and a file system for storing data and a way for applications to run and leverage memory, interact with other processes and make use of server resources.
Understanding how the OS works would reveal the difference between mod_php in Apache and php-fpm that works both with Apache and other web servers, when it’s better to use a module that lives within the Apache process and when it makes more sense to decouple those for serving non-PHP data and managing process pools. Data allocation management, custom processes, cron jobs and user permissions and roles are used at all times and rely on the OS layer. Often solutions could be stored locally and regularly fetched with a cron request or a simple script gathering data that is not directly connected to the WordPress core.
While you may not be completely interested in how the binary data runs through a cable or what a network package consists of, those may be important for many projects. Understanding the seven layers of OSI, how SSL works behind the curtains and the performance impact of network requests are common challenges in the modern world.
The adoption of IPv6 is gaining popularity due to the lack of free IPv4 addresses, and often your remote service calls or general data processing relies on the IP protocol. Understanding ports and sockets could help you configure your networking stack better, pick UDP over TCP for multimedia streaming, implement server filters or firewalls that would improve your speed and increase your security, and could help you benchmark and test various technical scenarios for API-oriented projects.
WordPress provides a neat interface for interacting with the database and plenty of ways to trigger SQL without actually understanding its syntax, but it’s important to know how is data stored, managed and fetched for all requests. Occasionally using WP_Query or another query class, or a function such as get_posts may be the way to go, but more complex filters or search queries require a better way for selecting data - especially when dealing with custom tables and performing operations on a large pool of data.
Cleaning an outdated website can often be performed just by cleaning the database - outdated posts (with their corresponding postmeta) that are no longer available due to a deactivated plugin, hundreds of thousands of transients used for caching, or users from an old social media plugin that is no longer needed.
Queries can be optimized drastically by adding a “where” clause through a filter, or replacing a long loop with queries with a single query or two that could reduce the load time of a complex request with minutes.
PHP is a fairly liberal programming language that doesn’t expect you to know a complicated collection of classes and interfaces in order to build a map or a tree, and you can still implement a generic version purely with arrays.
However, data lives in different forms - sometimes in the filesystem, or a yaml/json file, in the database (sometimes a NoSQL one), an XML file or a SOAP response, in a caching server and so on. Being able to craft data requests and parse responses, filter data and prepare the right data structure is important for each application that deals with data, and since WordPress is a Content Management System, Data is its primary tool for communication.
PHP provides decent implementations for most common scenarios and algorithms needed for sorting or searching data. However, analytical thinking is often needed for building a plugin, decoupling the components properly and ensuring that the entire request is being processed properly, without unnecessary overhead.
Some applications require utilizing external APIs and authentication protocols, sifting through remote data or server logs, crafting performant requests or dealing with encryption, data encoding, image manipulation on a low level, archiving or hashing resources and other activities that don’t come up with a clean or suitable implementation for business cases.
On top of the theoretical knowledge being executed throughout lab exercises and course projects, most reputable schools and universities employ knowledgeable people from the industry. In a practical exercise, there are plenty of best practices taught during a class and pointed out during a project.
I still recall a project I built some ten years ago where I built an automotive maintenance application in Java with a software application managing data, a view-only web tool and a custom database layer. I used the brand name as the main search key and unique identifier. My mentor pointed that out multiple times until I realized that it’s a foolish error that would prevent the search engine from working whenever I had two or more cars from the same brand, and only the first one would always be fetched during search.
It’s a trivial error that I still remember clearly, and it was not obvious in my application using only a few cars by different vendors. However, in a production scenario, this would have been a deal breaker.
I led a training course for a bank in 2008 and I noticed that one of their internal systems had some odd database problems. Employees were reporting some edge cases where data wasn’t stored successfully, or wrong entries were fetched for specific record IDs. After inspecting the database, we found out that the developers stored some internal information starting from records 100,000 to 104,500 dealing with internal variables and configuration parameters. The system used to work just fine for the first 100,000 records and then the autoincrement index kept incrementing by one and overlapping with data that wasn’t extracted in a separate table. Solving the database schema and increasing the index fixed the problem, but over the years we have identified similar major flaws in telecom and bank applications, automotive manufacturer systems and even government projects and large media outlets due to common software engineering knowledge and basic planning.
If you provide WordPress services for your clients without working with other niche experts or in-depth knowledge of your own, this may still work for small clients and generic cases. However, your clients may be at risk of losing data or marketing opportunities, suffering various attacks or being unable to grow a product naturally.
I would like to personally ask each and every one of you to invest in your own education, become a better software engineer, be more confident when building solutions and more responsible to your customers.
This would improve your own process and planning, allow you to identify loopholes in server configurations, investigate problems by debugging all underlying layers and provide custom unique solutions for your clients. As a result, your services will be more rewarding and in demand, and you will establish a consultancy that serves the business benefits without affecting other aspects of the technical infrastructure delivered by you.